Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Deploying IOS firewall feature set

Hi All,

We are trying to deploy firewall feature in the 2811 router by suing the SDM 2.5. We choosed option for basic firewall setup. It required us to choose trusted and non-trusted interfaces and we did the same. It added access-list inbound on the trusted interface and ip inspect command on the un-trusetd interface.

Also,Intially we want to allow all traffic from untrusted-interface to the trusted interface,so we manually allowed permit ip any to inside network block ?---Is that right ?

We have another question,we would be having a another interface on that router to connect to a different network and preferrably doesn't want to configure that interface as trusted or non-trusted,in this scenario,if any traffic originated from non-defined interface will be able to access the trusted interface or also non-trusted interface ?

Any help would be really appreciated

Thanks

Regards

Anantha Subramanian Natarajan

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Deploying IOS firewall feature set

Hello Anantha,

"Also,Intially we want to allow all traffic from untrusted-interface " That would entirely break the idea of deploying the IOS Firewall. Nature of statefull firewall that comes with IOS firewall feature set is, to block all traffic from an untrusted interface by default, then only allow the return traffic of connections, originated from a trusted interface (inspection). And you also can permit some traffic that you trust manually.

"We have another question,we would be having a another interface on that router to connect to a different network and preferrably doesn't want to configure that interface as trusted or non-trusted,in this scenario,if any traffic originated from non-defined interface will be able to access the trusted interface or also non-trusted interface ?"

If the inspection rule is applied to oubound direction of untrusted interface, feel free to unset other interfaces as trusted.

Regards

Re: Deploying IOS firewall feature set

Anantha,

"we should be able to leave the other interface undefined"

Yes you can! leave them undefined. Setting an interface as "trusted" does only add an acl inbount to that trusted interface which denies traffic appears to be originated from other interface subnets, which is against spoofing attacks, and permits the rest of the traffic. This approach does not cause an administrative overhead actually, so it is for your benefit to choose an interface as "trusted" or "untrusted" but since it has no relationship with inspections, you can leave them unset.

Regards

6 REPLIES

Re: Deploying IOS firewall feature set

Hello Anantha,

"Also,Intially we want to allow all traffic from untrusted-interface " That would entirely break the idea of deploying the IOS Firewall. Nature of statefull firewall that comes with IOS firewall feature set is, to block all traffic from an untrusted interface by default, then only allow the return traffic of connections, originated from a trusted interface (inspection). And you also can permit some traffic that you trust manually.

"We have another question,we would be having a another interface on that router to connect to a different network and preferrably doesn't want to configure that interface as trusted or non-trusted,in this scenario,if any traffic originated from non-defined interface will be able to access the trusted interface or also non-trusted interface ?"

If the inspection rule is applied to oubound direction of untrusted interface, feel free to unset other interfaces as trusted.

Regards

New Member

Re: Deploying IOS firewall feature set

Hi,

Thank you very much for the answer ....

The background of this deployment is for one of our customers,they just want to enable to CBAC and day one wants to permit all traffic in either directions. Later seems they would be managing the CBAC in such a way that,it could provide effectively does statefull firewall inspection as you were mentioning...........

Yes we planning to set the ip inspect on the outbound direction of the untruseted interface and so as per my understanding from your cmment,we should be able to leave the other interface undefined.If this understanding not correct,please let us know or else thank you very much for the help

Regards

Anantha Subramanian Natarajan

Re: Deploying IOS firewall feature set

Anantha,

"we should be able to leave the other interface undefined"

Yes you can! leave them undefined. Setting an interface as "trusted" does only add an acl inbount to that trusted interface which denies traffic appears to be originated from other interface subnets, which is against spoofing attacks, and permits the rest of the traffic. This approach does not cause an administrative overhead actually, so it is for your benefit to choose an interface as "trusted" or "untrusted" but since it has no relationship with inspections, you can leave them unset.

Regards

New Member

Re: Deploying IOS firewall feature set

Thank you very much

Re: Deploying IOS firewall feature set

You are welcome and thanks for rating :)

New Member

Re: Deploying IOS firewall feature set

Thank you and the response was really helpful

138
Views
0
Helpful
6
Replies
CreatePlease to create content